- Even More States Join the Party — By the end of 2024, almost half of all U.S. states had enacted modern data privacy legislation. That trend will likely continue, particularly since a national data privacy statute may not be a top priority for the incoming administration.
- It’s Time for State Enforcement — Several states have begun “staffing up” with the goal of bringing more data privacy enforcement in 2025, and some no longer have mandatory cure periods. Putting aside California, early indications are that Texas and Connecticut may take the lead among the states in enforcement activity.
- It’s All About the Servers — Advertising technology’s transition from browser-side tracking technologies (cookies) to server-side tracking technologies (application programming interfaces or APIs) slowed in 2024. Nonetheless, the transition to server-side technologies continues; we may see it become the dominant medium for tracking in 2025 as organizations continue to work on aligning their digital advertising practices with applicable privacy laws.
- Sensitive Data Is Everywhere — Regulators and plaintiffs continue to focus their attention on the collection, use, and sharing of sensitive data types. That trend is expected to continue in 2025 with continued focus on companies that use or share geolocation or health information.
- Focus on Data Protection Impact Assessments (DPIAs) — The first states started requiring DPIAs two years ago, but regulators were reticent to demand that companies produce them. That has changed—state regulators have started requesting them and will continue requesting that companies produce DPIAs for data-processing activities that mandate them, like targeted advertising.